Security Alert Summary
The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress contains an access control vulnerability that affects all versions up to and including 6.26.14. Missing capability checks and authentication verification on the OAuth redirect functionality allow an unauthenticated actor to set the global redirect URL via the redirect_url parameter when the oauthredirect option parameter is accessible.
CVE Details
- CVE ID: CVE-2025-10753
- Affected component: The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress
- Affected versions: All versions up to, and including, 6.26.14
- Published: February 6, 2026 at 7:16 AM (UTC)
- Last modified: February 6, 2026 at 3:14 PM (UTC)
- CVSS v3.1: Base Score 5.3, Severity MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Authentication / Privileges / User Interaction: No authentication or privileges required; no user interaction required (PR:N, UI:N).
- Primary impact: Confidentiality: None; Integrity: Low; Availability: None
- CWE: CWE-862 (Missing Authorization)
Technical Details
The plugin fails to perform capability checks and authentication verification on its OAuth redirect functionality exposed via the oauthredirect option parameter. An unauthenticated request that supplies the redirect_url parameter can update the global redirect URL option without validating the requestor’s privileges. Because the global redirect URL controls where users are sent after certain OAuth flows, an attacker who can access the vulnerable endpoint directly can change that setting.
The issue is an authorization/permission check omission rather than a flaw in the authentication protocol itself. The description indicates the problem stems from missing checks around the option handling for oauthredirect and the processing of the redirect_url parameter.
How This Could Impact Your Website
Consider a site with a site owner, internal staff (editors or administrators), and an external contributor or contractor who uses the plugin for single sign-on. An unauthenticated attacker who can reach the vulnerable function could change the global redirect URL to point to an external site. As a result, users attempting to sign in or use OAuth flows might be redirected to an attacker-controlled page, increasing the risk of credential harvesting or targeted phishing attempts aimed at your staff or contributors.
This vulnerability impacts the integrity of the redirect setting rather than directly exposing content or credentials in place; it creates an avenue for redirect-based attacks that can be used as part of broader social engineering. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (If a fixed version is not specified in the CVE entry, check the plugin’s official repository or vendor advisory.)
- Review and reduce unnecessary user roles and capabilities, especially for contributors and other low-privilege accounts.
- Enforce strong passwords and enable two-factor authentication for editor and administrator accounts.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and configuration changes (including option updates) for unusual behavior, especially changes to redirect-related settings.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/miniorange-login-with-eve-online-google-facebook/tags/6.26.12/class-mooauth-widget.php#L260
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399223%40miniorange-login-with-eve-online-google-facebook&new=3399223%40miniorange-login-with-eve-online-google-facebook&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/915e1a6e-ad9c-4849-8ae0-3ded18720a1f?source=cve